Background


The Research Report looked at the following functions 
of the ICO: 


• Audits of organisations to assess whether good data protection practice is being followed

• Advisory visits to organisations giving practical advice on how to improve data protection practice


The research looked at the levels of satisfaction with
the audits and advisory visits

To establish whether the ICO is delivering an appropriate
level of service


To identify areas for improvement to inform future 
development 


Method 


To meet the ICO's research needs the following programme of research was carried out: 

• Data was collected from a sample of 56 organisations, out of the 199 which had received one of the ICO's audits, Information Risk Reviews (IRR) or Advisory Visits between January 2015 and December 2016.

• Of those 56, 30 organisations had received an Advisory Visit, 15 had had an IRR, and 11 had received a full audit.

• This research was followed up by in-depth one-to-one telephone interviews. The respondents were selected according to the data provided at the earlier stage to give a variety of feedback.

Pre visit ratings — how the respondents felt about the correspondence between them and
the ICO before the visit to the site


Pre visit ratings were wholly positive, with no negative ratings. At least 3 in 4 were very satisfied. 


[Chart: percentage of respondents giving each rating for:
• The helpfulness of the ICO contact you spoke to
• Ease of liaising with the ICO staff prior to the visit
• Information provided on why the visit was required
• Information provided concerning what would happen during the visit
Scale: Very satisfied / Fairly satisfied / Neither satisfied or dissatisfied / Not very satisfied / Not at all satisfied / Can't remember]


Q4. How would you rate the correspondence you had with the ICO before your visit in regard to the following areas of information: 

Improvements to pre-visit process

Criticisms were extremely minor and overall data controllers reported that:

• The ICO staff were pleasant and efficient to deal with

• It was clear what they had to prepare, even if in a few cases it was difficult to prepare information

• Information requested was largely already to hand through policies and procedures. Preparation of material wasn’t too time consuming and preparation time was accepted as part of the process

• Several interviews with larger organisations suggested that the most effort in preparation was to co-ordinate colleagues to fit into the visit period, with a minority feeling that the ICO hadn't appreciated the complexity of the organisation.

• There were very minor criticisms of timing delays.

The on-site visit: ratings

Ratings of the visit were very positive with over 4 in 5 giving the highest rating.

[Chart: length of the visit: Longer than expected / About the same length as expected / Shorter than expected]

[Chart: percentage of respondents agreeing with each statement:
• The opening and closing meetings held were useful and informative
• The visit ran to schedule
• The ICO representative was approachable
• The information provided during the visit appeared to be by someone who was knowledgeable and competent
• The ICO representative was professional
Scale: Agree strongly / Agree slightly / Neither agree or disagree / Disagree slightly / Disagree strongly / Don't know]


Q7. How long was the visit from the ICO was it...?/Q8. To what extent would you agree or disagree with the following about the visit from the ICO: 

The on site visit: expectations and improvements


The majority of visits either met or exceeded expectations, with only 5% who thought it worse than expected. 


[Chart: percentage of respondents answering Better than expected / About the same as expected / Worse than expected]


Any criticisms of the visit were extremely minor and overall data controllers reported that:

• The ICO staff were pleasant and knowledgeable and appeared efficient in the work they did. They put data controllers at ease, so that they did not feel as though they were being judged, and kept the tone helpful and informative.

Criticisms related to:

• The schedule being challenging.

• The closing meetings were mentioned as being useful to understand any issues which they had to address. There seemed to be a mismatch sometimes in terms of what was said at the closing meeting and what appeared in the report.

• Where there was a lack of knowledge of a sector this did not appear to impact excessively except for minor instances of recommendations being disputed.


Q10. To what extent did the visit meet your expectations in terms of what you were looking for and what was received from the ICO? 

Following the visit, the ICO produced a report for the organisation


The majority rated the report positively. 


[Chart: percentage of respondents agreeing with each statement:
• The length of the report was appropriate
• The assurance rating awarded was considered and understood
• The recommendations made were constructive and appropriate
• It provided clear and constructive advice
• It provided an accurate assessment of your organisation's processes and key risk areas
• The content of the report was relevant and within the scope of the visit
• It was received in a timely manner
• It was written by someone who appeared to be knowledgeable and competent
Scale: Agree strongly / Agree slightly / Neither agree or disagree / Disagree slightly / Disagree strongly / Don't know]


Q13. To what extent do you agree or disagree with the following about the report you received from the ICO after the visit?
Base: all respondents 56 

Comments on the ICO report:

• Timeliness and knowledgeable

• The report received positive comments during interviews. The report arrived on time if not a little earlier than expected.

• Recommendations made in the report:

The number of recommendations varied across the organisations. These were almost entirely seen as acceptable comments. The tone of recommendation that ‘it's advisable to do’ rather than ‘you have to do’ was appreciated.

Recommendations in the report had not always been discussed in the closing meeting.

There were some isolated issues of overlapping recommendations which could be laid out better.

Impact of the report on the organisation


The majority were positive about the impact of the report with only 2% giving negative ratings for two of the measures. 


[Chart: percentage of respondents agreeing with each statement:
• Assisted in the implementation of an action plan to improve data protection compliance
• Improved data protection processes within my organisation
• Raised awareness of the importance of data protection across the organisation
Scale: Agree strongly / Agree slightly / Neither agree or disagree / Disagree slightly / Disagree strongly / Don't know]


Q15. Since the visit, how has the visit and any following correspondence with the ICO impacted on your organisation? 

Overall satisfaction


The ICO achieves a very high overall satisfaction rating of 96% with 80% very satisfied.


[Chart: percentage of respondents answering Very satisfied / Fairly satisfied / Neither satisfied or dissatisfied / Not very satisfied / Not at all satisfied]


Visits enable the organisations to learn from the experience. For those less confident in the data protection field, 
there is a genuine appreciation of attention from the ICO, which exceeds the information available on the website 
and the perceived ‘generic’ information via the helpline. 


Q10. To what extent did the visit meet your expectations in terms of what you were looking for and what was received from the ICO? 


Base: all respondents 56 

Summary and Recommendations


The ICO visits are largely viewed as positive, with little to improve upon: good ratings are given by visited organisations throughout, from setting up the visits through to end reports. There are some minor improvements which could make the visits even more satisfactory.


Enabling organisations to co-ordinate the visit more easily: Is there more the ICO could do to ask larger organisations or multi-site organisations about difficulties and enable organisations to do this more easily?

… closing meeting and the report: Raised expectations in the closing meeting make the report more difficult to deal with.

Although ICO knowledge of the sector isn't always expected by organisations, it may be useful to be open-minded to suggestions from the organisation about specific aspects of the sector.

Having the report in a format which allows a management summary and recommendations to be easily taken out and presented to management boards helps the data controller provide evidence which is rubber stamped by the ICO.


Case Studies: 


Advisory Visit - Criminal Justice Sector: 
• The respondent acts as a Data Controller for a group of organisations that his own organisation represents.

• It was felt to have been a helpful visit, although the report had some minor typing errors and he was promised an overarching report which didn't come to fruition as far as he is aware.

• The report was well-used and the format enabled him to compile a “must, could, should” list for:
  • His Data Protection Impact Assessment
  • Providing information to the Management Board
  • Providing him with evidence to recommend what he believed to be essential action.

Audit — Health Sector:


• The audit took place at an NHS Trust, which operates over multiple sites providing hospital and community services.

• The respondent felt:
  • The visit could have been improved by taking advice from the organisation on not visiting too many sites, as all use the same process
  • The report focussed on the criticisms (which were largely correct) and toned down the positives.

• The report was clear and with the right level of detail

• The report has raised awareness of data protection in the organisation and made people more aware of policies

Audit — Local Authority Sector: 


• The local authority had a data breach and arranged a consensual audit with the ICO.

• The respondent felt:
  • It was a large audit in a short space of time, and was hectic but successful
  • The report met their needs well and any minor errors were easily addressed.

• The report gave the respondent evidence to support recommendations to senior managers.

Advisory Visit — Charity Sector: 


• The respondent had started to deal with data protection issues and didn't have much support in her organisation to help her get it right.

• There was a positive response to the report which was described as ‘kind, practical, thoughtful and helpful’

• The report has been used:
  • For the Trustee Board
  • To provide their ISO 27001 gap analysis. The organisation went on to obtain ISO 27001 which has given them opportunities to obtain funding that they might not have otherwise received.

Advisory visit - Community Charity 


• A community charity requested information from the ICO and was given a visit, which they felt privileged to receive

• They found the visit very informative as it enabled:
  • Bespoke advice to be given
  • Staff to attend a presentation which made it a more ‘important’ issue in the organisation.